
Malware is detected as being sent from Messaging Gateway scanners that use DMARC.


Article ID: 175104


Updated On:

Products

Messaging Gateway

Issue/Introduction

You have enabled DMARC and DMARC failure reporting and are now seeing network filtering processes, such as network intrusion detection, alert on SMTP traffic sent by Messaging Gateway. The alerts indicate that Messaging Gateway is sending messages containing malware attachments, or otherwise suspicious content such as links or spam, depending on the detection processes.

Environment

Messaging Gateway with DMARC and DMARC failure reporting enabled.

Cause

The DMARC protocol dictates that a forensic/failure report contains a copy of the message that failed DMARC checking. When Messaging Gateway receives a message connection that fails DMARC checking, it can send a failure report containing the message that would have been received. This requires that the DMARC DNS configuration for the owning domain requests forensic/failure reports and that Messaging Gateway has failure reports enabled.

Resolution

To mitigate this issue, either disable DMARC failure reporting or configure the network filtering process to exempt messages that originate from Messaging Gateway and are sent from the DMARC failure reporting sender address.
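
One way a filtering process could keep that exemption narrow, as an added example that is not the vendor's code or part of the original article: exempt a message only when it comes from the failure reporting sender address and also has the failure report structure from RFC 6591 (a `multipart/report` with an `auth-failure` feedback part and the embedded original). The structure check is an assumption that goes beyond the sender-address exemption described above, and the addresses and sample message are constructed.

```python
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample of a failure report; addresses are placeholders.
SAMPLE_REPORT = b"""\
From: dmarc-reports@gateway.example
Subject: DMARC failure report (constructed sample)
Content-Type: multipart/report; report-type=feedback-report; boundary="b1"

--b1
Content-Type: text/plain

This is an authentication failure report.
--b1
Content-Type: message/feedback-report

Feedback-Type: auth-failure
Version: 1

--b1
Content-Type: message/rfc822

From: someone@sender.example
Subject: original message that failed DMARC

(failed message body and attachments would be here)
--b1--
"""

def is_dmarc_failure_report(raw: bytes, report_sender: str) -> bool:
    """True only for an auth-failure feedback report sent by report_sender."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    if sender != report_sender.lower():
        return False
    if (msg.get_content_type() != "multipart/report"
            or str(msg.get_param("report-type", "")).lower() != "feedback-report"):
        return False
    feedback_type, has_original = "", False
    for part in msg.iter_parts():  # top-level parts only, not the embedded copy
        ctype = part.get_content_type()
        if ctype == "message/feedback-report":
            fields = part.get_payload()  # parsed as a nested header block
            if isinstance(fields, list) and fields:
                feedback_type = str(fields[0].get("Feedback-Type", "")).strip().lower()
        elif ctype in ("message/rfc822", "text/rfc822-headers"):
            has_original = True
    return feedback_type == "auth-failure" and has_original
```

Anything from the gateway that does not match stays subject to normal inspection, so the exemption does not cover all outbound traffic from the scanner.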